Insider Use and Abuse: Identifying Internal Threats and How to Mitigate Them

Insider Use and Abuse: Identifying Internal Threats and How to Mitigate Them

With some of the largest hacks of all time spreading across the headlines over the last few months from Equifax to Uber, businesses are becoming increasingly aware of the threat they face from outside sources. What many business leaders often fail to recognize until it’s too late is insider use and abuse, intentional or not. Here are some major insider threats today’s organizations should be aware of and how to prevent them from costing your business.

The Insider Threat

The very people businesses require to stay fully functional are also one of the largest threats it faces. Not only do organizations of every size have to worry about outside cyber threats, they have to be prepared for insider threats as well that could cost them system downtime, loss of data, or worse.

The United States Computer Emergency Readiness Team (U.S. CERT) defines an insider threat as “the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”

A 2017 Data Breach Investigations Report by Verizon discovered that 25 percent of breaches involved internal actors and 66 percent of breaches were from malware installed via malicious email attachments opened by unsuspecting employees. A whopping 80 percent of hacking-related breaches in the report were due to stolen or weak passwords. The Verizon report shows the two industries most commonly targeted were the financial and healthcare sectors. Furthermore, small businesses were at a greater risk than larger companies with 61 percent of data breach victims from this year’s report having fewer than 1,000 employees demonstrating that no organization is safe.

Malicious Threats

The U.S. CERT defines a malicious threat as a “current or former employee, contractor, or business partner who has or had access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”

The Verizon report previously mentioned found “In 60 percent of cases, insiders abscond with data in the hope of converting it into cash in the future. But sometimes it’s a case of unsanctioned snooping (17 percent) or even taking data to a new employer or to start a rival company (15 percent).”

In other words, a malicious insider threat is one that is intentional. These are people who knowingly overstep their authority and privilege to access and either steal or misuse information. Examples of malicious threats include:

• Insider breaches and hacks
• Theft of proprietary data or intellectual property
• Industrial espionage or IT sabotage
• Fraud
• Improper disposal of documents or leaving doors unlocked

Whether current or former employees, a malicious insider will find every way possible to exploit a business’s weaknesses to achieve their goals. Malicious insiders can cause businesses serious problems ranging from a damaged reputation and loss of business to millions in fines.

Unintentional Threats

An unintentional insider threat, per U.S. CERT, “is a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and who, through action or inaction without malicious intent, causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.”

An unintentional insider threat can occur due to “failure in human performance,” according to U.S. CERT, which can mean anything from an employee clicking on an infected link in an email from an unknown source to something as simple as leaving a filing cabinet unlocked or an external door propped open.

Employees, contractors, and business partners don’t have to be malicious to cost your business. Accidents happen and can be incredibly costly, especially for organizations in heavily regulated industries such as education or healthcare where breaches can lead to millions of dollars in fines and cleanup costs. Examples of common unintentional insider threats include:

• Falling for phishing attacks by clicking on suspicious links in email
• The accidental disclosure of information such as sending information to the wrong email address
• Physical loss of data such as losing papers or improper disposal of information
• Loss of portable equipment such as laptops, tablets, or phones with business information or access

A Growing Concern

According to the 2017 Threat Monitoring, Detection & Response report produced by Crowd Research Partners, insider threats continue to be a growing concern for IT professionals with a 51 percent increase reported in perceived threats over the past year. Inadvertent breaches (61 percent), those that were unintentional, were identified as the leading cause of concern.

Given the many challenges businesses face in today’s IT world, the detection and or mitigation of insider threats from negligent, malicious, and compromised users is a major concern for IT specialists and security teams, according to the report. Nearly 50 percent of respondents considered insider use and abuse a top challenge facing their team. It came in second only to the detection of advanced threats. A whopping 38 percent of respondents reported system downtime in the last 12 months with 33 percent also stating their organization had experienced disrupted business activities, reduced employee productivity, and deployment of IT resources to triage and remediate issues as a result.

Combating the Threat

There are several ways to combat the threat of insider misuse and abuse. From investing in better employee training to the rule of least privilege, businesses have several tools at their disposal for curbing internal risks to data and system security. Below are some of the best recommendations for combating internal threats to your business.

The Rule of Least Privilege

To begin with, your company should follow the rule of least privilege. This means employees should only be given the minimal access they need to fulfill their job duties. For example, a CEO’s secretary has very different needs than someone in sales or the company receptionist. Be sure your organization is not giving full system access to every employee as that is an unnecessary risk. This is also often a guideline for meeting government regulations in many industries.

Build a Budget and Training Program

A lack of budget, skilled and trained personnel, and security awareness among employees were the top three barriers IT experts said they struggled to adequately defend against, according to the Crowd Research Partners report. Business leaders have to dedicate the proper budget and time to defending against such threats by training every employee on how to work smarter when it comes to IT on at least an annual basis. Ideally, even more frequent training is advised so IT personnel can review the most recent threats with insiders to prevent unintentional breaches.

One of the best ways to avoid inadvertent breaches by those with insider access is to provide the proper training and retraining for all employees on a regular basis. According to the 2017 Threat Monitoring, Detection & Response report, “user training was identified by 57 percent of respondents as their leading method for combating such threats.”

All of your staff should know what websites are safe to visit, how to spot a suspicious link, and how to properly dispose of hard data such as copies and printed documents. Training programs can help increase employee awareness of threats and allow them to recognize their own errors as well as what it can cost the organization they are working for.

Shoulder Surfing & Sharing

While employees will collaborate at times, train them to avoid shoulder surfing. They should ask for privacy when entering login information and passwords and allow others the same privacy.

Emphasize that they should never share their login information or passwords with others. This is a mistake many of Edward Snowden’s colleagues made when he went to work collecting data at the National Security Administration. While they thought they were helping a coworker, he was using their shared access to collect data. In addition, train employees to never “share” their account with someone else or allow them to use it under their login and password. Employees should know that not only could a colleague cause damage to the company but they could be held accountable for any misuse or abuse that results.

Reporting Suspected Abuse & Misuse

A hallmark of a strong training program is to provide employees with a means of reporting suspected misuse and abuse. If an employee discovers or suspects misuse or abuse by someone within the company, they need to have a way of reporting it in order to help support the organization. Let your employees know who they can report to if they believe there is insider misuse or abuse occurring and to report it immediately.

Leverage Technology

Utilize technology to your organization’s advantage when it comes to addressing the threat of insider misuse and abuse. Implement two-factor authentication to limit the amount of damage that can be done with lost or stolen credentials. Encrypt sensitive data, patch vulnerabilities immediately, and implement change management systems and log files to give an early warning of breaches.

Additionally, there are more tools on the market today than ever before to allow you to monitor and log the activity of authorized users on your system. Such tools can allow you to watch where your employees are going on the internet, track what they are doing with their company email, and determine how much information they are downloading. Though these tools may not prevent an insider from causing a problem, they can help provide proof of misdeeds and even offer insight to prevent future misuse and abuse.

Implementing Safeguards

Every business should implement safeguards such as a strong spam filtering system, firewalls, encryption, and antivirus programs to ensure as much protection is in place as possible. Such programs can help prevent phishing emails from getting through to unsuspecting employees or alert them that they may be getting ready to open a malicious link. Limiting employee access to sites known to be malicious or for spreading viruses is also a wise recommendation.

In addition, most regulations also require businesses to have some form of surveillance. This is important for protecting business data from internal theft. All businesses should have perimeter surveillance that covers entry points such as gates and doors to record who is coming and going. There should also be cameras set to record points of internal interest such as hallways, the server room, and areas housing sensitive files. These cameras should be set to record at all times and those recordings should be kept for six months.

There are currently more sophisticated camera systems available offering a wide variety of special features. Some can be set to record only when someone enters a specific area. This saves recording space and data usage. You can even purchase camera systems that send you notifications via email or text if someone enters an area where they shouldn’t be so your business is secure around the clock.

Check Policies and Procedures

Review your policies and procedures regularly. For large businesses, this means quarterly reviews, while it is every six months for medium businesses, and smaller businesses can handle reviews of policies and procedures annually. Ensure your policies are up to date and understandable for every employee, not just those who know IT. Don’t give away the keys to your IT kingdom with weak policies that open the door for insider exploitation.

Implement a Four-Eyes Policy

To help eliminate the accidental dissemination of sensitive information, establish a four-eyes policy for publishing information. This will ensure all information your employees distribute has been reviewed by at least two people. Such a policy can help reduce the risk that someone inside the company unintentionally or maliciously leaks information.

A Stamp of Approval

An emerging tactic to gain access or information is for hackers to send employees an email compromise. For example, a company employee may receive an email request where “the CEO” orders a wire transfer of funds with an urgent and believable backstory. When it comes to external emails, request that your IT department mark all of them with an unmistakable stamp that every employee is trained to identify.

Changes in Access

Be prepared to make changes to employee access on a dime. Employees come and go and this can happen quickly. Should an employee be promoted, they may require additional access. If someone gives their notice, your IT experts should be contacted prior to the employee’s departure to remove all access to the business’s data and system as of their final date of employment. In the event that an employee must be dismissed for any reason, your IT department should be made aware immediately so it can take steps to end all business access as quickly as possible. Being able to make changes in IT access fluidly in real time is essential to business security.

Address Physical Security

The reality is that not all data theft happens online. When training employees, be sure to address the physical security of your organization as well. For example, society teaches us that it’s polite to hold the door for someone but it is also appropriate to ask to see an ID badge before letting someone into a secure entry. Train employees not to leave doors ajar when they are outdoors on break or waiting for a delivery person to arrive. These little things can allow big problems to walk right into your business.

Red Flags to Watch For

Though an analysis of more than 800 malicious insider attacks by U.S. CERT determined that there exists no standard profile of a malicious insider, your company should stay vigilant about watching for warning signs. Some things to watch for include:

• Someone bragging about the ability to cause damage to a company or its reputation
• Threats made by current or former employees
• Employees downloading large amounts of data
• A change in normal workplace behavior or patterns
• The use of USB devices

For assistance in mitigating insider misuse or abuse in your business or organization, contact Dox today for a free consultation at (585) 473-7766 or visit us at